EXPLORE DETECTIONS
Application Uninstalled
An application has been removed. Check if it is critical.
Application URI Configuration Changes
Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
Application Using Device Code Authentication Flow
Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Applications Spawning CMD or Powershell
Table listing processes that spawned cmd.exe or powershell.exe child processes.
Applications That Are Using ROPC Authentication Flow
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
Applications with plaintext passwords
Table of applications identified as potentially handling plaintext passwords. Falcon automatically attempts to redact plain-text passwords in process command lines to prevent sensitive data exposure. When this occurs, the password string is replaced with the marker `/REDACTED/`. Therefore, during analysis we specifically look for the `/REDACTED/` placeholder within command-line arguments as an indicator that Falcon has detected and masked a potential plain-text password. Reference: https://www.reddit.com/r/crowdstrike/comments/u8ji4i/commandline_redacted/
AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
AppX Package Deployment Failed Due to Signing Requirements
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
APT Package Manager Configuration File Creation
Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.
APT User Agent
Detects suspicious user agent strings used in APT malware in proxy logs
Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
Arbitrary File Download Via ConfigSecurityPolicy.EXE
Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.
Arbitrary File Download Via GfxDownloadWrapper.EXE
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
Arbitrary File Download Via IMEWDBLD.EXE
Detects usage of "IMEWDBLD.exe" to download arbitrary files
Arbitrary File Download Via MSEDGE_PROXY.EXE
Detects usage of "msedge_proxy.exe" to download arbitrary files
Arbitrary File Download Via MSOHTMED.EXE
Detects usage of "MSOHTMED" to download arbitrary files
Arbitrary File Download Via MSPUB.EXE
Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
Arbitrary File Download Via PresentationHost.EXE
Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
Arbitrary File Download Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Arbitrary MSI Download Via Devinit.EXE
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system